Java Spring安全XML配置和设置权限

我正在尝试配置一个筛选器，以便使用Ping Federate对我的web应用进行预身份验证。我希望在访问除“/login”以外的所有资源时运行此筛选器

也就是说，除了“/login”，每个页面都应该经过一个过滤器

我使用的是SpringSecurity 3.2，我知道

<security:http pattern="/login" auto-config="true" security="none">

这是一种新的写作方式

<intercept-url pattern="/login*" filters="none" />

但是，在将security='none'添加到我的XML配置文件时，当我访问localhost:8080/login时，仍然会选择过滤器

下面是我的XML配置文件：

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <context:annotation-config />
    <context:property-placeholder />

    <security:global-method-security
        pre-post-annotations="enabled" />
    <bean id="resourceLoader" class="com.foo.bar.ResourceLoader">
        <constructor-arg value="${PING_IDENTITY_CONFIG_FILE_NAME}" />
    </bean>
    <bean id="openTokenReader" class="com.foo.bar.OpenTokenReader" />



    <security:http pattern="/login" use-expressions="true" security="none" />



    <security:http use-expressions="true" auto-config="true"
        entry-point-ref="http403EntryPoint">
        <security:custom-filter position="PRE_AUTH_FILTER"
            ref="openTokenFilter" />
        <security:session-management
            invalid-session-url="/login" />
        <security:session-management>
            <security:concurrency-control
                max-sessions="1" error-if-maximum-exceeded="true" />
        </security:session-management>
        <security:logout />
    </security:http>


    <bean id="openTokenFilter"
        class="com.foo.bar.OpenTokenRequestAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="logoutURL" value="${PING_IDENTITY_LOGOUT_URL}" />
        <property name="authenticationFailureHandler">
            <bean
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                <property name="defaultFailureUrl" value="/login" />
            </bean>
        </property>
    </bean>

    <bean id="preauthAuthProvider"
        class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService">
            <bean id="userDetailsServiceWrapper"
                class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <property name="userDetailsService" ref="customUserDetailsService" />
            </bean>
        </property>
    </bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
            ref="preauthAuthProvider" />
    </security:authentication-manager>

    <bean id="customUserDetailsService" class="com.foo.bar.UserDetailsServiceImpl"></bean>
    <bean id="http403EntryPoint"
        class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"></bean>

</beans>

---

我已经尝试了几乎所有我能想到的方法，对于一些应该非常简单的东西，我已经有很长一段时间无法解决这个问题。

在映射到控制器方法时是否有后缀“.Do”之类的？不，我没有，我应该吗？不。你能从web.xml提供servlet映射配置吗？我正在使用spring boot，所以我没有web.xml文件..我开始认为这可能是问题的一部分了Okey，show config在哪里初始化servlet。